Stop Saying, ‘We Take Your Privacy and Security Seriously’

242 points by samaysharma, over 6 years ago

22 comments

emilis_info, over 6 years ago
Also stop saying "Before you go further..." we need to share your data with tens of corporations. /s

Note to non-EU users: Techcrunch is completely blocking the page with a popup asking me to share my location and behavioral data (for advertising purposes) with a probably very long list of companies (something called "Oath" family).

The logos shown are for Yahoo, Aol, Autoblog, Huffpost and Engadget.

Nah. I'll skip as always :D

atoav, over 6 years ago
Say it, when you do. Say: *We take your Privacy and Security seriously that is why we won’t ever store a tracking cookie on your machine. If you still want to support us by different means, click here*

Anybody who takes your privacy seriously won’t even have to ask for consent, because there is nothing to ask for.

resonanttoe, over 6 years ago
This is slightly off topic and relatively minor, but man does it represent the piss poor state of Tech writers and their articles.

"I was curious how often this go-to one liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text.

About one-third of all 285 data breach notifications had some variation of the line."

Don't bother providing a link to either your data source or your code, the ability for someone to independently verify the validity of this claim and its results isn't important, we'll just "trust" you.

dalbasal, over 6 years ago
The ironies of reading articles about the pathologies of the 2019 digital economy are... well...

The publications where you might read about the problem are likely contributors to it.

From the EU, before you read about companies abusing your privacy you first go through their "consent" page, maliciously designed to prevent readers from preventing "the Oauth family" from giving whatever data they can get on you to advertisers.

Then you get to read the article:

"*I’ve never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn’t even exist.*"

... TC's modus operandi & business model appears to be the same.

On many occasions I have read an article bemoaning fake news that was framed by "native ads," pretending to be articles, and promoting fake science (one weird trick), apocalypse cults and worse.

scotty79, over 6 years ago
‘We Take Your Privacy and Security. Seriously.’

kkm, over 6 years ago
Lot of companies are shooting themselves in their own foot by sharing critical data with a plethora of third-parties.

They put sensitive information like username, orderid in the URL which is then shared with all the third-parties on that page, simply because referrers are not sanitized.

This happens:

- Without user-consent
- More dangerously without the companies knowing it too.

On reporting, the companies do not want to fix these issues.

Shameless plug: You can find some of such cases, which I've been trying to highlight to the companies:

- https://medium.freecodecamp.org/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b
- https://threatpost.com/def-con-2018-telltale-urls-leak-pii-to-dozens-of-third-parties/134960/
- https://cliqz.com/en/magazine/lufthansa-data-leak-what-a-single-url-can-reveal-about-you
- https://fosdem.org/2019/schedule/event/web_extensions_exposing_privacy_leaks/

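
The referrer leak described in the comment above can be checked per policy. This is an added example, not part of kkm's comment or the linked write-ups: it models which `Referer` value a third-party request carries under each standard `Referrer-Policy` value and flags the sensitive query parameters that travel with it. The URLs and the helper names (`refererSent`, `leakedParams`, `audit`) are constructed for illustration, and "downgrade" is simplified to https to non-https.

```javascript
// Added example. Simplified model of the Referrer-Policy rules: which Referer
// a request from pageUrl to requestUrl carries.
function refererSent(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  page.username = ''; page.password = ''; page.hash = ''; // never sent in Referer
  const full = page.href;
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === 'https:' && req.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Parameter names taken from the comment; extend for your own application.
const SENSITIVE = ['username', 'orderid'];

function leakedParams(referer) {
  if (referer === null) return [];
  const query = new URL(referer).searchParams;
  return SENSITIVE.filter((name) => query.has(name));
}

// Constructed sample data: an order page and a third-party script it embeds.
const PAGE = 'https://shop.example/order/status?username=alice&orderid=A1001';
const THIRD_PARTY = 'https://cdn.tracker.example/tag.js';

function audit(pageUrl, thirdPartyUrl) {
  const policies = ['unsafe-url', 'no-referrer-when-downgrade',
    'origin-when-cross-origin', 'strict-origin-when-cross-origin',
    'strict-origin', 'origin', 'same-origin', 'no-referrer'];
  return policies.map((policy) => {
    const referer = refererSent(policy, pageUrl, thirdPartyUrl);
    return { policy, referer, leaked: leakedParams(referer) };
  });
}

console.table(audit(PAGE, THIRD_PARTY));
```

Only the policies that send the full URL cross-origin expose the parameters; keeping identifiers out of the URL removes the exposure regardless of policy.
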
lagadu, over 6 years ago
Ohh something related to my area! I work with security/data management and often I get to have access to client organizations for a variety of reasons; most of our clients are banks, pharmaceuticals and pension funds, among others.

"We take your privacy and security seriously" from some rando company doesn't even make me roll my eyes because of how desensitized I am to that whole concept. It's genuinely appalling how often banks have no clue of who has access to what data inside their organization: tons of people having accesses they shouldn't and nobody keeps track of it? Of course. Database copies stored in random hard drives sitting on tables? Why, naturally! Attestation processes? What's that? We're not talking about small entities either. These people would be years away from something not too hard like an iso27001 certification.

In short: all of our data is in an incredibly precarious situation and we're fucked forever. I don't get outraged at leaks nowadays, I just laugh at it.

edit: interestingly enough, in my experience pharmas care far more about data security than banks do (I assume that is because they have more shit to hide).

nightcracker, over 6 years ago
You enter a coffee shop. Before you can do anything, the owner takes a photo of you, and grabs your hand to take your finger print. He quickly writes down the date, time and what clothes you are wearing.

He gives you a smile as he starts his speech. "Before we continue, we at Coffee City want you to know we deeply value your privacy. We need your permission to store your information, improve your coffee experience, personalize your coffee suggestions and share it with our partners. Do you consent?"

You don't fucking value my privacy. I get some serious doublespeak vibes. If you valued my privacy you'd leave me the fuck alone and stop saving information about me.

IMO GDPR doesn't go far enough. Even these popups are wasting my valuable time and invade my privacy due to the ease it is to accidentally consent to some stupid bullshit while navigating the 20 windows needed to reject all consent.

We should outlaw even asking for consent to store personal information for any user that didn't log into your site. If I do not have an account with you, I'm not your user, we don't have an extended relationship and you have no business storing information about me.

ardfie, over 6 years ago
Troy Hunt wrote about this a few years ago, with the pithy headline '“We take security seriously”, otherwise known as “We didn’t take it seriously enough”'

https://www.troyhunt.com/we-take-security-seriously-otherwise/

OliverJones, over 6 years ago
I agree. The phrase "we take your privacy and security seriously" is an inherent oxymoron; meaning the opposite of what it says.

I really like, and have copied, Tesla's note to security researchers. https://www.tesla.com/about/security

I had to clean up one breach a few years ago. It was, gulp, a breach of HIPAA-covered health info. We wrote to our customers saying

"We're sorry. We unintentionally sent your blahblah sheet to the wrong hospital. We have spoken to the person at that hospital who received it and confirmed that they erased your information. Again, we apologize. If you have questions don't hesitate to call us at xxx-xxx-xxxx"

We could have blamed the third-party vendor who actually made the mistake. We could have spewed oxymorons. But this message was successful and true: nobody sued us and the govt didn't write us up.

The breach, admittedly, was only a few dozen records. It could have been much worse.

A lesson for tech people: when you have a breach DRAFT THE PUBLIC STATEMENT RIGHT AWAY so you can hand it to your executives and crisis PR people. That way your company has a chance of doing it right.

ausjke, over 6 years ago
I must chime in on this subject.

To take a community college course, the application online form is asking pretty much every piece of your info, birthday, SSN, family income, ethnicity, future plan, current situation, home address, many personal preference, phone, email, immigration status, marriage status, gender, education background, military background, job experience, you name it. Nearly all of them are mandatory. Anyone can get hold of this record pretty much owns you.

Why do they need all this for just taking a course that I'm going to pay by credit card?

This is not uncommon in other areas, in the future we may need to provide our DNA code as an attachment? Talking about privacy protection is a joke these days.

bitwize, over 6 years ago
It's right up there with "your call is very important to us" and "best of luck in your future endeavors".

formatkaka, over 6 years ago
A question:

What is privacy issue exactly about? I see regular posts on HN about it. Is it about storing user-data on my end or sharing the user-data with third party or not taking the user consent.

P.S. - Trying to understand the root cause because I work with a startup building SAAS and would like to avoid such mistakes.

threatofrain, over 6 years ago
We take your privacy seriously is the kind of language you'd expect from a company that doesn't want to make specific commitments. That company isn't putting any skin in the game with that claim; every company claims that.

Therefore I am not surprised and won't be holding my breath.

cottsak, over 6 years ago
I just added security.txt to one of my sites. Great reminder!

jhallenworld, over 6 years ago
Weasel words. "That's a great question! Mistakes were made, it's a really hard problem, but we're working on it."

arpinum, over 6 years ago
Spent 10 minutes trying to prevent TC / Oath from using my personal data. 5 clicks and proving I'm not a robot before reaching a privacy dashboard. Except, to actually set my preferences to not track me I first need to agree to tracking! And if I don't allow 3rd party cookies to track me I cannot withdraw consent.

GDPR was meant to allow users to refuse consent without detriment, and not to force consent to use the service. Oath clearly violates GDPR, yet regulators have done nothing in 10 months.

Cypher, over 6 years ago
Also stop saying "We understand players concerns with [AAA greed mechanic here]"

jrockway, over 6 years ago
I read that as "we know you're mad" which seems accurate to me.

amelius, over 6 years ago
It's similar to "don't be evil".

BucketSort, over 6 years ago
Or at least put a crying face emoji after saying it.

nkkollaw, over 6 years ago
LOL, not only does TechCrunch say that, but they also infest your session with tracking cookies.

Hard pass.